[8966] in bugtraq
Re: PATH variable in zip-slackware 2.0.35
daemon@ATHENA.MIT.EDU (kay)
Wed Jan 6 14:04:56 1999
Date: Wed, 6 Jan 1999 12:43:41 +0200
Reply-To: kay <kay@PHREEDOM.ORG>
From: kay <kay@PHREEDOM.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <yam7674.830.138166896@mail2.cal.shaw.wave.ca>
On Tue, 5 Jan 1999, Karl Stevens wrote:
> Have to comment here one last time:
> > This is not true. This is output from a clean Slackware 3.6:
> Well, it's true on ALL of my systems (14 to date) :
>
> schon:~$ echo $PATH
>
> /usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin:/usr/
> games:.
> schon:~$ su
> Password:
> schon:/home/karl# echo $PATH
>
> /usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
Sorry, my fault. The path is even more restricted when you do plain su to
a normal user (it is the $ENV_PATH in /etc/login.defs):
bash# su nobody
bash$ echo $PATH
/usr/local/bin:/bin:/usr/bin
The example in my posting was after direct login as root. The same thing
is observed when using "su - <user>" to set her environment properly:
bash$ echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin \
:/usr/games:.
bash$ su -
Password:
bash# echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/andrew/bin:/usr/openwin/bin \
:/usr/games:.
> > A quick look through the init scripts reveals no distinguish whether they
> > run as root, other privileged uid, or something.
> Another quick look reveals this:
>
> schon:/etc# grep 'ENV_SUPATH' /etc/login.defs
> # Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
>
> ENV_SUPATH
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
But this is only when su is used?! It was about shell init scripts that
are present by default.
> [snip]
> Granted there are problems with security on a default slackware install
> (including ttyp's in /etc/securetty for one) I don't think this is
> really one of them.. either that, or I'm doing something totally different
> than you are during install.
Agreed. The world-readable /root directory, missing umask (so it
defaults to 022), /etc/rc.d/* scripts are some examples. I'm not trying to
say Slackware is insecure. IMHO it is the most do-it-yourself-flavoured
major Linux distribution; how it works depends entirely on you.
I do not know if there is something specific to _my_ install - it's pure
Slackware 3.6, downloaded from a local mirror. All problems mentioned
in the original posting about zipslack were present on my (only :-) box.
--
kay // kay@phreedom.org
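The thread above turns on two things: the trailing "." in the default user PATH, and the fact that su (via ENV_PATH / ENV_SUPATH in /etc/login.defs) hands the new shell a different PATH than a direct login does. The following POSIX sh script is an added example written for this page; it is not code from the thread or from Slackware. It audits a PATH value the way an administrator would when checking a fresh install, and it goes beyond the single "." case in the thread: it also flags empty entries (a leading, trailing or doubled ":" is searched as the current directory just like "."), relative entries, and absolute directories that are world-writable. A second function reads login.defs-style ENV_PATH / ENV_SUPATH lines so that the su paths can be checked with the same logic. The login.defs sample embedded in the script is constructed, modelled on the entries quoted in the thread, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original bugtraq thread.
# audit_path VALUE: print one finding per line for every PATH entry that
# lets the shell run a command out of the current directory, a relative
# directory, or a world-writable directory. Returns 0 if clean, 1 otherwise.
audit_path() {
    path=$1
    found=0
    rest="${path}:"          # sentinel ':' so the last entry is consumed too
    while [ -n "$rest" ]; do
        entry=${rest%%:*}    # text up to the first ':'
        rest=${rest#*:}      # everything after that ':'
        case $entry in
            "")
                # POSIX: a zero-length entry means the current directory.
                echo "empty entry (searched as the current directory)"
                found=$((found + 1)) ;;
            .)
                echo "'.' (current directory) is on the PATH"
                found=$((found + 1)) ;;
            /*)
                # Absolute entry: only a problem if anyone can write to it.
                # -H follows a symlinked entry (e.g. /bin -> usr/bin) so the
                # permission test applies to the directory, not the link.
                if [ -d "$entry" ] &&
                   [ -n "$(find -H "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    echo "world-writable directory on PATH: $entry"
                    found=$((found + 1))
                fi ;;
            *)
                echo "relative entry on PATH: $entry"
                found=$((found + 1)) ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# count_path_issues VALUE: print the number of findings audit_path reports.
count_path_issues() {
    audit_path "$1" | awk 'END { print NR }'
}

# audit_login_defs < FILE: read login.defs-format lines such as
#   ENV_SUPATH   PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
# and audit the ENV_PATH and ENV_SUPATH values. Comment lines (key "#")
# and other keys are ignored. Returns 1 if any finding was printed.
audit_login_defs() {
    rc=0
    while read -r key value; do
        case $key in
            ENV_PATH|ENV_SUPATH)
                [ -z "$value" ] && continue
                value=${value#PATH=}          # strip the "PATH=" prefix if present
                out=$(audit_path "$value")
                if [ -n "$out" ]; then
                    printf '%s\n' "$out" | sed "s/^/$key: /"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample (not a real file), modelled on the values quoted in
# the thread: the su path is clean, the ordinary login path ends in ".".
SAMPLE_LOGIN_DEFS='# constructed sample login.defs fragment
ENV_SUPATH      PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
ENV_PATH        PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11/bin:/usr/games:.'

# When invoked as a script with an argument, audit that PATH string, e.g.
#   sh audit_path.sh "$PATH"
if [ $# -gt 0 ]; then
    audit_path "$1"
fi
```

Run it on the current shell with `sh audit_path.sh "$PATH"`, and on the su paths with `audit_login_defs < /etc/login.defs`. Because the audit is done on the PATH *string*, it can be pointed at whatever a given login path (direct login, `su`, `su -`) actually ends up with, which is exactly the distinction the thread is about.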